
MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,416
32,244



The US National Institute of Standards and Technology has released a new draft of its Digital Authentication Guideline, which sets the rules that all authentication software eventually follows. In the document, NIST deprecates the implementation of SMS as a method with which users validate a second level of security on various accounts, "no longer" allowing its use in future guidelines as it is considered not secure enough (via TechCrunch).

Two-factor authentication via SMS (left) and an alternative trusted iOS device (right)


Setting up two-factor authentication through text messages is one of the most popular ways users add another layer of security onto an account, on top of a basic password, including those for Apple's own software, like Apple ID and iCloud. Other than SMS, Apple allows users to implement two-factor authentication through a simple push notification sent to another "trusted device," or a phone call.
If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
The new guidelines also make a point for companies to ensure that two-factor authentication notifications aren't going through a VoIP service, which could be easily compromised. NIST also includes "limited use" of biometrics as a way for users to gain access to their second layer of authentication, meaning Apple could pivot to Touch ID as an alternative if SMS support for the security feature officially comes to an end.

Article Link: New U.S. Guidelines Could Halt Use of SMS for Two-Factor Authentication
 
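The quoted draft text lays down three mechanical rules for an SMS out-of-band verifier: check that the pre-registered number is on a mobile network rather than a VoIP service, send the code to that number, and refuse to change the number without two-factor authentication at the time of the change. The following is an added example modelling those rules, not code from the article, from NIST, or from Apple. The class name, the number-type lookup table, the code lifetime, the wrong-guess cap and the step-up window are all my own assumptions; a real verifier would replace the table with a carrier or number-portability lookup and the outbox with an SMS gateway.

```python
import hmac
import secrets

# Constructed stand-in for a carrier / number-type lookup. A real verifier would
# ask a number-portability or HLR service whether the number terminates on a
# mobile network or on a VoIP / software service; these entries are made up.
NUMBER_TYPE = {
    "+15550100001": "mobile",
    "+15550100002": "voip",
    "+15550100003": "mobile",
}

CODE_TTL_SECONDS = 600          # assumed lifetime of a sent code
MAX_ATTEMPTS = 5                # assumed cap on wrong guesses per sent code
STEP_UP_WINDOW_SECONDS = 300    # assumed: how fresh the second-factor proof must be


class OutOfBandSmsVerifier:
    """Hypothetical verifier implementing the draft's SMS out-of-band rules."""

    def __init__(self, now):
        self.now = now            # clock callable, injected so the example can move time
        self.registered = {}      # user -> pre-registered mobile number
        self.pending = {}         # user -> {"code", "expires", "attempts"}
        self.last_mfa = {}        # user -> time the second factor was last verified
        self.outbox = []          # (number, code) pairs handed to the "SMS gateway"

    @staticmethod
    def _require_mobile(number):
        # Rule 1: the number SHALL be on a mobile network, not VoIP or software-based.
        if NUMBER_TYPE.get(number) != "mobile":
            raise ValueError(f"{number} is not on a mobile network (VoIP or unknown)")

    def register_number(self, user, number):
        """Initial enrolment for a user who has no number yet."""
        if user in self.registered:
            raise PermissionError("a number is already registered; use change_number")
        self._require_mobile(number)
        self.registered[user] = number

    def change_number(self, user, new_number):
        """Rule 3: no change without two-factor authentication at the time of the change."""
        proven = self.last_mfa.get(user)
        if proven is None or self.now() - proven > STEP_UP_WINDOW_SECONDS:
            raise PermissionError("second factor must be verified before changing the number")
        self._require_mobile(new_number)
        self.registered[user] = new_number
        del self.last_mfa[user]   # one step-up buys one change

    def send_code(self, user):
        """Rule 2: generate a fresh random 6-digit code and send it to the registered number."""
        number = self.registered[user]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = {"code": code,
                              "expires": self.now() + CODE_TTL_SECONDS,
                              "attempts": 0}
        self.outbox.append((number, code))

    def verify_code(self, user, submitted):
        """Single-use, time-limited, attempt-limited check with a constant-time compare."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]
            return False
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], str(submitted)):
            return False
        del self.pending[user]              # the code is consumed on first success
        self.last_mfa[user] = self.now()    # this is what change_number looks for
        return True
```

The step-up record in `last_mfa` is the part that implements the "at the time of the change" wording: a number change is only accepted inside a short window after the second factor was actually proven in this session, and the proof is spent once used.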

zonk44

macrumors member
Oct 15, 2013
46
44
Switzerland
Misleading article. The deprecation of SMS as authentication method is not about two factor authentication, but authentication in general. So single factor authentication through SMS will of course also be deprecated (Example: WhatsApp)
 

Iconoclysm

macrumors 68040
May 13, 2010
3,236
2,716
Washington, DC
I thought our government was trying to weaken security so they can access our phones. Who at NIST made this mistake of proposing a verification process that was more secure? Probably fired by the end of the week. :eek::D:p:cool:

If the government convinces you to use TouchID, they can force you to unlock your phone without a PIN.
 

bdhokie

macrumors member
Feb 26, 2010
63
120
USA
While it may not be perfect, the suggestion everyone should use an app eliminates any two-factor authentication for small companies/developers who may not have those resources starting out. Instead of deprecating SMS, which is better than nothing, why not recommend it as a last resort?
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,583
6,097
But it's a much better way than doing nothing at all. Personally, we need to get to a whole new paradigm of authentication, period. Deprecate the password!

I agree with this, but then you hit the problem of, okay, if not passwords, then how do you authenticate?
 

Apoxie

macrumors newbie
Apr 23, 2012
9
3
This is a bad decision. It will just lead to people not doing 2FA instead. I don't want an app for each service or some physical token generator or be bound to the use of a specific brand of phone.

2FA should be easy, also across multiple services and devices. SMS spans that beautifully.

There should of course be an option to do it even more securely than SMS, but SMS should also be on the plate as a "low security" 2FA instead of doing nothing.
 

MrX8503

macrumors 68020
Sep 19, 2010
2,293
1,615
There needs to be a two-step authentication any time you talk to carrier customer service.

The reason why SMS two-step isn't safe is because your phone number can be rerouted without your knowledge. Having said that, does anyone know how to disable iMessage authentication?

Pro Tip: 1Password can act as an authenticator app. No need for Google Auth app or Authy.
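The authenticator-app option mentioned here (1Password, Google Authenticator and Authy all generate codes the same way) is the TOTP algorithm of RFC 6238, which is HOTP from RFC 4226 with the counter set to the current 30-second time step. The following is an added example, not code from the post or from any of those products: the `hotp` and `totp` functions follow the RFCs and are checked against the RFC test vectors, while the `TotpVerifier` class (the drift window and the replay rule) is my own server-side design, not something any particular product is documented to do.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF   # drop the sign bit
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


class TotpVerifier:
    """Server-side check (hypothetical design for this example): accept `window` steps of
    clock drift either way, and never accept a time step that has already been used."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted = -1   # highest counter already used for a successful login

    def verify(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = time.time()
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(unix_time) // self.step
        for counter in range(max(0, current - self.window), current + self.window + 1):
            if counter <= self.last_accepted:      # replay of an already-used step
                continue
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B seed for HMAC-SHA1; RFC 4226 Appendix D uses the same secret.
    seed = b"12345678901234567890"
    print(hotp(seed, 0))                 # 755224 per RFC 4226
    print(totp(seed, 59, digits=8))      # 94287082 per RFC 6238
```

The shared secret never leaves the two ends, so rerouting the phone number does nothing to an attacker who lacks it; the remaining risks are theft of the seed at enrolment or from a backup, and phishing of a live code, which the one-step replay rule narrows but does not remove.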
 

gsmornot

macrumors 68040
Sep 29, 2014
3,612
3,731
This is a bad decision. It will just lead to people not doing 2FA instead. I don't want an app for each service or some physical token generator or be bound to the use of a specific brand of phone.

2FA should be easy, also across multiple services and devices. SMS spans that beautifully.

There should of course be an option to do it even more securely than SMS, but SMS should also be on the plate as a "low security" 2FA instead of doing nothing.
I think people that are aware of two-factor will do the work required to learn the requirements. Most people (that I know) have no idea what 2FA is, much less care if it uses SMS. If SMS is less secure, then let's move on and go through the process of learning to deal with the alternative. Making everything easier has created this process where people allow themselves to be less intelligent because it's hard to follow along.
 

ARB4

macrumors newbie
Mar 28, 2016
14
17
Richmond, VA
I still don't understand the difference between those two. The names alone are confusing.
Agreed. I think the former is only around because the latter really only works with iOS9 and above. Two-Factor also doesn't include offline recovery key or app-specific passwords.
 

gsmornot

macrumors 68040
Sep 29, 2014
3,612
3,731
I still don't understand the difference between those two. The names alone are confusing.
The names are what make it easy to follow. One simply requires two steps to complete the entry. Do this, then this.
Two factor on the other hand is to have two somethings...something you know, something you have, or something you are. In other words, a password, your physical device and/or your biometric identity. Someone may have your password but not your device for example. With two step, if they have your SIM cloned and request the code for entry, they will receive it. This is why SMS can be an issue.
 

Robert.Walter

macrumors 68040
Jul 10, 2012
3,151
4,522
I still don't understand the difference between those two. The names alone are confusing.

I just realized I thought I knew the difference but don't, and I read the documentation and I use them.

I guess I need to go back and study them, because at this point, I couldn't explain the difference to someone.
 

EricTheHalfBee

Suspended
Mar 10, 2013
467
739
Apple can send an iMessage.

They "could", but why bother when they can send a notification to a trusted device? To me this is far superior to SMS or using an App. People could clone a SIM and get an SMS. Going to be hard to clone an Apple Device ID to try and catch your notifications.
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,616
2,976
Apple's implementation does not use SMS - please correct the article. If it were SMS, it'd appear as a green text in iMessage, rather than the popup that does happen.

But more importantly, while the article rightly points out that SMS can be spoofed or intercepted, it completely ignores the question of 'is it secure enough'? For nuclear launch codes, no, agree it's not. But for securing a gmail account? It's the best option available at the moment.
 

John Mcgregor

Suspended
Aug 21, 2015
1,257
1,485
Newport
They "could", but why bother when they can send a notification to a trusted device? To me this is far superior to SMS or using an App. People could clone a SIM and get an SMS. Going to be hard to clone an Apple Device ID to try and catch your notifications.

But how do you setup a trusted device? To have a trusted device you first have to go through this process on that device.
 

Jst1man

macrumors newbie
Jul 26, 2016
1
0
California
NIST is a bit overzealous. Nothing new. Remember that SMS and 2nd calls are for primary authentication and not 2nd. This is a case of the user having too much control over their own devices. God forbid that a user choose not to put junk on their phone. It's almost like they are setting us up.
 